146 New Vulnerabilities All Come Preinstalled on Android Phones

When you buy an Android smartphone, it’s rarely pure Android. Manufacturers squeeze in their own apps or give it a fresh coat of interface. Carriers do it too. The resulting stew of preinstalled software and vanilla Android sometimes turns out to be rancid, putting flaws and vulnerabilities on the phone before you even take it out of the box. For proof of how bad it is, look no further than the 146 vulnerabilities—across 29 Android smartphone makers—that have just been simultaneously revealed.

Yes, that’s 146, all discovered by security firm Kryptowire and detailed one by one in a new gargantuan disclosure. Most of the implicated companies operate primarily in Asia, but the list includes global heavyweights like Samsung and Asus as well. While the bugs vary in severity and scope—and in some cases, the manufacturers dispute that they’re a threat at all—they illustrate an endemic problem for Android, one that Google has acknowledged.

The vulnerabilities Kryptowire turned up, in research funded by the Department of Homeland Security, encompass everything from unauthorized audio recording to command execution to the ability to modify system properties and wireless settings. What makes them so pernicious, though, is how they get on phones, and how hard they are to remove.

“We wanted to understand how easy it is for someone to be able to penetrate the device without the user downloading an application,” says Kryptowire CEO Angelos Stavrou. “If the problem lies within the device, that means the user has no options. Because the code is deeply buried in the system, in most cases the user cannot do anything to remove the offending functionality.”

It’s one thing if you fall for a shady Fortnite download. At least that was a choice you made, and you can also uninstall it. The vulnerabilities Kryptowire found are often preinstalled at a system level, with no way to purge them from your device.

If all of this sounds vaguely familiar, it’s because Kryptowire has been down this road before. A little over a year ago it disclosed the results of a similar round of research that found this same class of defects built into 10 popular Android devices. The difference now—and the reason the work is so much more comprehensive—is that the team has built a tool that scans firmware for issues even if they don’t have the device physically in hand. Kryptowire’s system then automatically creates a proof of concept, in a matter of minutes, that validates the vulnerability’s existence and cuts down on false positives. The tool looks for “unsafe states,” as Stavrou puts it, that would allow an application to take a screenshot or record audio or create a network connection when it shouldn’t.

The issue often comes down to trust. Many of the vulnerabilities Kryptowire found enable apps to do things like change settings without your knowledge or consent.

“We believe that if you are a vendor you should not trust anybody else to have the same level of permissions as you within the system,” says Stavrou. “This should not be an automatic thing.”

“We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these,” Google said in a statement. Google has its own vetting process, called the Build Test Suite, that checks software for potentially harmful preinstalled apps. BTS launched in 2018, and in its first year prevented 242 of those problematic installs from reaching consumers.

The Kryptowire research suggests that BTS has room for improvement. In fairness, it’s a problem of enormous scope. According to a presentation on this very topic given this summer by Google security researcher Maddie Stone, every Android device ships with 100 to 400 preinstalled apps. Many of those apps originate not from the company that’s making the physical device, but from third parties that provide the code for various under-the-hood tasks, or from carriers who have a vested interest in everything from messaging to payments. Most manufacturers are ill-equipped to parse all of those apps for potential risks, and even the largest still allow some sort of carrier influence.

“The ecosystem involves hundreds of vendors that are not necessarily cooperating with each other or have any process for quality assurance. Or they might, but some of them have more than others,” says Stavrou. “And in the race to create cheap devices, I believe that the quality of software is being eroded in a way that exposes the end user.”

Kryptowire began the lengthy process of notifying Google and the 29 manufacturers of its findings over the summer. Not all of those affected agree that the findings are all that concerning. Kryptowire disclosed 33 vulnerabilities in Samsung devices, stemming from six preinstalled apps. (It also found bugs in two additional apps, but those were present only in firmware images that bad actors had injected malware into, and weren’t included in the final report.)

Two of those six were developed by outside partners; though they still affect Samsung devices, the consumer electronics giant directed the researchers to those other companies. As for the remaining four, Samsung argues that the broader Android Security framework renders them harmless. “Since being notified by Kryptowire, we have promptly investigated the apps in question and have determined that appropriate protections are already in place,” Samsung said in a statement.

Kryptowire disagrees. “The Samsung apps can be used by third-party supply chain actors to gain access to information without disclosing it or requiring permissions,” says Tom Karygiannis, the company’s vice president of product. “The current design of the Android Security framework does not prevent that from happening today.”

At least Samsung has the resources to investigate the reported vulnerabilities. Many Android manufacturers offer no clear path for reporting bugs or for patching them when found. Outside of Google’s own Pixel line and a handful of well-resourced manufacturers, security updates are slow to hit Android devices under even the best of circumstances. When those flaws come from someone else’s code, well, good luck.

If there’s a silver lining here, it’s that Google has taken proactive steps to tamp down on the problem of preinstalled bugs. But as Kryptowire’s sweep shows, the overall ecosystem has a long way to go.

More Great WIRED Stories

Read More